Re: The future of forward proxy servers in an http/2 over TLS world

Not sure if this is what is needed as it can get complicated when more 
than one proxy is involved. At least currently browsers do not inform me 
about all the 3rd parties involved, e.g. all the companies which get the 
URL I browse.

- Content from 3rd parties is just displayed even when users do not want 
see it and may be dangerous
- Content from CDNs is just displayed without notifying the user about 
which CDN is delivering the content
- Reverse proxies are not announced to the user
- Requests are send to foreign countries without notifying the user
- When a MITM attack is detected and a local CA certificate is installed 
locally then even this isn't made known to the user by some browsers

It would be nice to see which 3rd parties are involved directly and 
indirectly. In some cases, for example when some intelligence service 
takes the browsed URL from some tracking company but this seems to be 

A proxy is an additional 3rd party which I may trust and want to use 
(for some service it provides) or I have to use, which is the bad case. 
In the first case I don't necessarily need the information about all the 
proxies involved but of cause I want the to know about the latter case.

Is it really bad when a browser allows me to trust a proxy?


Am 28.02.2017 um 22:26 schrieb Poul-Henning Kamp:
> --------
> In message <>, Kari Hurtta writes:
>> Yes, this looks like common sense. And still no one browser does that.
> I think common sense can be summarized as follows:
> 1. If any proxy is involved, both the client and server should know
>     that, so that they can judge for themselves to what extent they
>     want to trust the proxy.
> 2. A legitimate proxy has no reason to try hide its own existence
>     or to deliberately reduce the security, privacy or integrity of
>     the communication, beyond what is required for doing its job.
> 3. It should be as hard as possible to insert and hide an ilegitimate
>     proxy (=MITM attack) which undetected can impact security, privacy
>     or integrity of the communication.
> On the client side the only politically reasonable and neutral
> solution is to announce the precense of a proxy by inserting a
> prominent identification of it above the address bar, so that the
> user sees:
> 	BIGCORP Inc. Proxy (Contact IT/Bill x1234) inspects this connection
> Or as it may be:
> 	ELBONIA Government National & Child safety Proxy inspects this connection
> The "proxybar" should be suitably decorated to indicate if the
> connection to the proxy has any kind of privacy and if there is any
> reason to think that the proxy really is who it claims to be.
> The current "political" stance by the user agents means that literally
> millions of people are behind proxies, legitimate and ilegitimate,
> without knowing it or being able to see it, without significant
> X.509-skillz.
> As for the political fight for a fundamental human right to privacy:
> More people would probably pay attention, if they could clearly see
> who tried to mess with their communication.

Received on Tuesday, 28 February 2017 23:06:25 UTC